Private health records of millions of Australians could potentially be exposed through data-matching exercises on datasets published by the federal government, researchers say.

De-identified historical health data released by the Department of Health can in fact be re-identified using known information about the person, such as their medical procedures and year of birth, to find their record. (We first saw this at The Sydney Morning Herald.)

The breach potentially exposes personal health records, including whether a patient is on HIV medication or has seen a psychologist.

A report, published by Dr Chris Culnane, Dr Benjamin Rubinstein, and Dr Vanessa Teague from the University of Melbourne’s School of Computing and Information Systems, highlights risks in data from the Australian Medicare Benefits Scheme (MBS) and the Pharmaceutical Benefits Scheme (PBS) released to the public in August 2016.

The study has found patient records matching the online public information of seven prominent Australians, including three former or current MPs and an AFL footballer.

The researchers cautioned that a unique match may not always be accurate but confidence could be improved by cross-referencing other publicly available data sets.
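A release-side check for the risk described above, as an added example that is not from the researchers' report or the Department: it counts how many patients share each combination of year of birth and dated procedures, and flags anyone in a group smaller than k before a dataset is published. The column layout, item names and sample rows are constructed assumptions.

```python
from collections import Counter

# Constructed sample rows (not real MBS/PBS data), one row per billed event.
# Assumed columns: pseudonymous patient id, year of birth, service month, item.
EVENTS = [
    ("p1", 1975, "2012-03", "childbirth"),
    ("p1", 1975, "2014-07", "childbirth"),
    ("p2", 1975, "2012-03", "childbirth"),
    ("p2", 1975, "2015-01", "childbirth"),
    ("p3", 1975, "2012-03", "childbirth"),
    ("p3", 1975, "2014-07", "childbirth"),
    ("p4", 1982, "2013-05", "knee_surgery"),
    ("p5", 1982, "2013-05", "knee_surgery"),
    ("p6", 1982, "2013-09", "knee_surgery"),
]


def quasi_identifier(events, patient_id, use_events=True):
    """Build the attributes an outsider could plausibly know about one patient."""
    rows = [e for e in events if e[0] == patient_id]
    year_of_birth = rows[0][1]
    # The dated procedure history acts as a fingerprint once combined with birth year.
    history = frozenset((e[2], e[3]) for e in rows) if use_events else frozenset()
    return (year_of_birth, history)


def class_sizes(events, use_events=True):
    """Map each patient to the number of patients sharing their quasi-identifier."""
    patients = sorted({e[0] for e in events})
    keys = {p: quasi_identifier(events, p, use_events) for p in patients}
    counts = Counter(keys.values())
    return {p: counts[keys[p]] for p in patients}


def at_risk(events, k=2, use_events=True):
    """Patients whose group is smaller than k, i.e. not k-anonymous."""
    sizes = class_sizes(events, use_events)
    return sorted(p for p, n in sizes.items() if n < k)


if __name__ == "__main__":
    print("birth year only:", at_risk(EVENTS, use_events=False))
    print("birth year + dated procedures:", at_risk(EVENTS))
```

In the sample, year of birth alone leaves every patient in a group of three, while adding dated procedures isolates two of them.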

Ten per cent of Australians were represented in the publicly available, de-identified data which could lead to re-identification, according to the University of Melbourne researchers.

The federal Department of Health, which was notified about the issue in December last year, says the incident has already been referred to the Privacy Commissioner and the dataset has been removed.

“The Department is working with the University of Melbourne and has already acted to improve its processes. The Department has not been aware of anyone being identified,” a spokesperson told Fairfax Media.